
Red Hat/RPM automatic HTTPS configuration

danger

If you are changing your domain from HTTP to HTTPS, you will unlink all users' browser extensions. Before making this change, you must ensure that all users have a copy of their private key to recover their account.

Pro tip: To download their recovery kit, users can follow this dedicated guide

important

This tutorial assumes your machine has a valid domain name assigned in order to work with Let’s Encrypt.

warning

This configuration does not support running passbolt from a subdirectory like https://mydomain.com/passbolt. It is only designed to work with a Fully Qualified Domain Name (FQDN), either on the root domain https://mydomain.com or a subdomain https://passbolt.mydomain.com.

warning

The ACME challenge requires port 80 to be open and accessible from the internet. Some administrators disable HTTP traffic on port 80 for security reasons, but this will prevent TLS (SSL) certificate generation and renewal. Ensure port 80 is open in your firewall and not blocked by your hosting provider.

Install or reconfigure passbolt

The passbolt PRO RPM package includes a configuration helper tool to set up MariaDB, Nginx, and TLS (SSL) settings.

You must prepare your TLS (SSL) certificate and its corresponding private key before launching the tool. Be sure to write down the full path to your certificate and key files, as they will be needed in the nginx configuration process.

Please note that for security reasons, we highly recommend setting up TLS (SSL) to serve passbolt.

Launch the passbolt-configure tool and answer the questions:

sudo /usr/local/bin/passbolt-configure

If you are reconfiguring passbolt, you'll most likely want to answer ‘NO’ to the MariaDB or haveged setup questions and choose Nginx setup instead.


==============================================================
Do you want to install a local mariadb server on this machine?
==============================================================
1) yes
2) no
#?

Please enter the domain name under which passbolt will run.

Note

This hostname will be used as server_name for nginx and as the domain name to register a TLS (SSL) certificate with Let’s Encrypt if you don’t have your own TLS (SSL) certificate and its corresponding private key.

=========
Hostname: passbolt.domain.tld
=========

You will then be able to choose the auto setup.

==================
Setting up TLS (SSL)...
==================
1) manual
2) auto
3) none
#?

Finally, you will need to provide an email address so that Let’s Encrypt can notify you about renewals and other administrative information:

Enter an email address to register with Let's Encrypt: 

If everything goes well, you should see a final message that points you to finish the passbolt configuration:

fig. Success message

Reload nginx after finishing the reconfiguration so that it uses the SSL configuration.

sudo systemctl reload nginx

warning

Finally, ensure fullBaseUrl value in /etc/passbolt/passbolt.php starts with https://.

And that’s it: you should be able to reach your server on the domain you specified.
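
A post-configuration check for the fullBaseUrl warning above, written as an added example that is not part of the passbolt documentation or tooling: it confirms that the value starts with https://, matches the hostname given to passbolt-configure, and carries no subdirectory. The one-line 'fullBaseUrl' => '...' layout, the function names and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not passbolt's own tooling): validate fullBaseUrl after passbolt-configure.
# Assumption: the setting sits on one line as 'fullBaseUrl' => '<url>',

# Constructed sample of the relevant part of passbolt.php: $1 = path, $2 = URL to embed.
write_sample_config() {
    cat > "$1" <<EOF
<?php
return [
    'App' => [
        // 'fullBaseUrl' => 'http://old.example.test',
        'fullBaseUrl' => '$2',
    ],
];
EOF
}

# Print the first uncommented fullBaseUrl value found in the config file $1.
get_full_base_url() {
    sed -n "s/^[[:space:]]*['\"]fullBaseUrl['\"][[:space:]]*=>[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Return 0 only if the URL in $1 is https, names host $2, and has no subdirectory.
check_full_base_url() {
    url=$(get_full_base_url "$1")
    host=$2
    [ -n "$url" ] || { echo "FAIL: no fullBaseUrl found in $1"; return 1; }
    case "$url" in
        https://*) ;;
        *) echo "FAIL: '$url' does not start with https://"; return 1 ;;
    esac
    rest=${url#https://}
    rest=${rest%/}      # tolerate a single trailing slash
    case "$rest" in
        */*) echo "FAIL: '$url' points at a subdirectory, which is not supported"; return 1 ;;
    esac
    [ "$rest" = "$host" ] || { echo "FAIL: '$url' does not match hostname '$host'"; return 1; }
    echo "OK: $url"
}

# Usage: script /etc/passbolt/passbolt.php passbolt.domain.tld (no arguments: run on the sample).
if [ "$#" -eq 2 ]; then
    check_full_base_url "$1" "$2"
else
    tmp=$(mktemp) && write_sample_config "$tmp" "https://passbolt.domain.tld"
    check_full_base_url "$tmp" "passbolt.domain.tld"
    rm -f "$tmp"
fi
```

A URL that includes an explicit port is reported as a hostname mismatch, since the comparison is against the bare hostname.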